Last Week in Security (LWiS) - 2022-01-25

PrinterLogic RCEs (@TheParanoids), Java app analysis (@infosec_au), DCSync from Linux (@n00py1), timed race conditions (@itscachemoney), ManageEngine auth bypass (@sourceincite), Windows driver RE methods (@Void_Sec), Sliver 1.5 with BOF support (@LittleJoeTables), and more!

Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the previous week. This post covers 2022-01-18 to 2022-01-25.

News

Techniques

Tools and Exploits

  • chrome-bandit is a proof of concept to show how your saved passwords on Google Chrome and other Chromium-based browsers can easily be stolen by any malicious program on macOS.
  • TREVORproxy is a SOCKS proxy written in Python that randomizes your source IP address. Round-robin your evil packets through SSH tunnels or give them billions of unique source addresses!
  • chronorace is a tool to accurately perform timed race conditions to circumvent application business logic. Well timed race conditions can allow for uncovering all kinds of interesting edge cases. Here is a good example.
  • RefleXXion is a utility designed to aid in bypassing user-mode hooks utilised by AV/EPP/EDR etc. In order to bypass the user-mode hooks, it first collects the syscall numbers of the NtOpenFile, NtCreateSection, NtOpenSection and NtMapViewOfSection found in the LdrpThunkSignature array.
  • Sliver v1.5.0. This release has a lot of cool changes. My favorite is BOF support!
  • FunctionStomping is a new shellcode injection technique. Given as C++ header or standalone Rust program. Currently undetected by hollows-hunter.
  • SharpGhosting is Process Ghosting (x64 only) in C#.
  • CVE-2021-45467: CWP CentOS Web Panel – preauth RCE. File inclusion + directory traversal = RCE.

New to Me

This section is for news, techniques, and tools that weren't released last week but are new to me. Perhaps you missed them too!

Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing. This post is cross-posted on SIXGEN's blog.